Monday, January 18th, 2016

Defending Against SAP Vulnerabilities

Organisations implement ERP (Enterprise Resource Planning) systems like SAP to improve and automate business processes. Expected benefits of implementation include a reduction in the cost of operations, greater asset efficiency, and enhanced quality of information. ERP systems are the backbone of many large organisations and are critical to successfully running business operations.

The complexity of ERP systems means they generally have a diverse set of stakeholders in the enterprise and may have been in situ for many years.

In a recent report issued by Onapsis, researchers found that more than 95% of systems are exposed to SAP vulnerabilities that could lead to a detrimental compromise of enterprise data and processes. These issues were identified through hundreds of security assessments of SAP systems.

The three main attack vectors were:

  1. Customer web portals without proper security. Customer web portals that are exposed to the Internet may not have the level of security that is required. These portals allow customers to connect from anywhere to place orders; however, such a portal can be used as part of an attack, with the attacker pivoting from the lower-security system to other, more critical systems, and eventually the entire SAP system.
  2. Malicious accounts being used in customer or supplier portals. Customer and supplier portals could potentially be infiltrated: backdoor users could pivot from the SAP portals and other platforms to continue on and attack the internal network. This was the reason for the Target breach.
  3. Vulnerabilities in the underlying database protocols. An attacker can exploit insecure database protocol configurations that would allow them to execute commands on the operating system. At this point, the attacker has complete access to the operating system and can potentially modify or disrupt any information stored in the database.

Best practices for ERP security:

Network Activity Monitoring

Security technologies such as SIEM monitoring, IDS, sandboxing and log management tools, among others, should be in place and can be tuned specifically to monitor an SAP system. These can be delivered from a custom SOC (Security Operations Centre).

Identity Access Management

Role-based access control is critical for application security. It should also extend to other aspects of the system so that proper separation of duties is upheld to limit the risk of rogue use. This can also be monitored through a centralised SIEM.
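The following is an added example, not code from the original post or from SAP, showing how a role-based access check and a separation-of-duties review fit together. Role names, permissions, the conflict rules and the user assignments are all constructed for illustration (real SAP authorisation objects and transaction codes are not modelled); the functions `is_authorised`, `sod_violations`, `can_assign_role` and `audit_assignments` are hypothetical helper names.

```python
"""Role-based access control with separation-of-duties (SoD) checks.

Added example, not code from the original post or from SAP. Role names,
permissions, SoD rules and user assignments below are constructed for
illustration; they do not model real SAP authorisation objects.
"""

# Constructed role -> permission mapping (hypothetical names).
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter", "invoice.view"},
    "ap_approver": {"invoice.approve", "payment.release", "invoice.view"},
    "auditor": {"invoice.view", "payment.view"},
    "user_admin": {"user.create"},
    "role_admin": {"role.assign"},
}

# Constructed SoD rules: pairs of permissions one person must never hold together.
SOD_RULES = [
    ("vendor.create", "payment.release"),  # create a payee and pay it
    ("invoice.enter", "invoice.approve"),  # enter and approve the same document
    ("user.create", "role.assign"),        # create an account and grant it roles
]


def effective_permissions(user_roles):
    """Union of all permissions granted by the user's roles (unknown roles grant nothing)."""
    perms = set()
    for role in user_roles:
        perms |= ROLES.get(role, set())
    return perms


def is_authorised(user_roles, permission):
    """Deny by default: a permission is granted only through an assigned role."""
    return permission in effective_permissions(user_roles)


def sod_violations(user_roles):
    """Return the SoD rules (in rule order) that the combined roles violate."""
    perms = effective_permissions(user_roles)
    return [rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms]


def can_assign_role(user_roles, new_role):
    """True only if adding new_role keeps the user free of SoD violations."""
    return not sod_violations(set(user_roles) | {new_role})


def audit_assignments(assignments):
    """Review a user -> roles mapping and report every user with a violation.

    This is the periodic review a centralised SIEM or IAM report would feed:
    violations created over time by role accumulation are caught here.
    """
    return {user: sod_violations(roles)
            for user, roles in assignments.items()
            if sod_violations(roles)}


if __name__ == "__main__":
    # Constructed sample assignments; "bob" has accumulated conflicting roles.
    sample = {
        "alice": {"ap_clerk"},
        "bob": {"ap_clerk", "ap_approver"},
        "carol": {"auditor"},
        "dave": {"user_admin"},
    }
    print("violations:", audit_assignments(sample))
    print("dave may get role_admin:", can_assign_role(sample["dave"], "role_admin"))
```

The point of `can_assign_role` is that the SoD check runs at assignment time, before a conflicting combination exists, while `audit_assignments` catches what the provisioning process missed; both checks use the same rule list so they cannot drift apart.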

ERP Log Analysis

Monitoring ERP or SAP logs is necessary to identify compromised accounts or other malicious activity at the application level. Apply the principle of least privilege throughout, including restricted network access. This makes it more difficult for an attacker to find an exploitable vulnerability that gives complete access, or to easily identify other systems to attack.
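As an added example (not code from the original post, and not the SAP Security Audit Log format), here are two simple application-level detections for compromised accounts run over constructed login records: a burst of failed logins followed by a success, and one account logging in from two different sources within a short window. The `timestamp|user|event|source_ip|result` layout, the sample lines, and the thresholds `FAIL_THRESHOLD`, `FAIL_WINDOW` and `TRAVEL_WINDOW` are all assumptions for the demonstration; a real deployment would parse the SAP audit log export and feed the alerts to the SIEM.

```python
"""Application-level login log review for compromised-account indicators.

Added example, not code from the original post or from SAP. The log layout,
sample lines and thresholds are constructed for illustration; they are not
the SAP Security Audit Log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|user|event|source_ip|result"
SAMPLE_LOG = """\
2016-01-18T08:01:10|jsmith|LOGIN|10.0.5.21|OK
2016-01-18T08:02:45|jsmith|LOGIN|10.0.5.21|OK
2016-01-18T08:40:12|jsmith|LOGIN|198.51.100.9|OK
2016-01-18T09:10:01|svc_batch|LOGIN|10.0.9.4|OK
2016-01-18T09:15:00|mkelly|LOGIN|203.0.113.7|FAIL
2016-01-18T09:15:06|mkelly|LOGIN|203.0.113.7|FAIL
2016-01-18T09:15:11|mkelly|LOGIN|203.0.113.7|FAIL
2016-01-18T09:15:17|mkelly|LOGIN|203.0.113.7|FAIL
2016-01-18T09:15:22|mkelly|LOGIN|203.0.113.7|FAIL
2016-01-18T09:15:30|mkelly|LOGIN|203.0.113.7|OK
2016-01-18T10:05:00|svc_batch|LOGIN|10.0.9.4|OK
"""

FAIL_THRESHOLD = 5                 # failures before a success that raise an alert (assumed)
FAIL_WINDOW = timedelta(minutes=10)  # look-back for those failures (assumed)
TRAVEL_WINDOW = timedelta(hours=1)   # two sources inside this window is suspicious (assumed)


def parse_log(text):
    """Parse the constructed pipe-separated format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "source": source, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_failures_then_success(events):
    """Alert on a successful login preceded by FAIL_THRESHOLD or more failures
    for the same user inside FAIL_WINDOW (a password-guessing pattern that
    ended in a working credential). Returns (user, source, failure_count)."""
    alerts = []
    recent_fail = defaultdict(list)
    for e in events:
        if e["event"] != "LOGIN":
            continue
        if e["result"] == "FAIL":
            recent_fail[e["user"]].append(e["ts"])
            continue
        window_start = e["ts"] - FAIL_WINDOW
        fails = [t for t in recent_fail[e["user"]] if t >= window_start]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((e["user"], e["source"], len(fails)))
        recent_fail[e["user"]].clear()  # a success resets the failure run
    return alerts


def detect_multiple_sources(events):
    """Alert when one account's successful logins come from two different
    sources within TRAVEL_WINDOW (shared or stolen credential indicator).
    Returns (user, previous_source, new_source)."""
    alerts = []
    last_ok = {}  # user -> (timestamp, source) of the most recent success
    for e in events:
        if e["event"] != "LOGIN" or e["result"] != "OK":
            continue
        prev = last_ok.get(e["user"])
        if prev is not None and prev[1] != e["source"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append((e["user"], prev[1], e["source"]))
        last_ok[e["user"]] = (e["ts"], e["source"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failures then success:", detect_failures_then_success(evs))
    print("multiple sources:", detect_multiple_sources(evs))
```

Both detections are deliberately stateful per user rather than per line, which is what makes them useful as SIEM correlation rules: a single failed login is noise, while the sequence is the signal. Service accounts such as `svc_batch` in the sample are a good reason to keep an allow-list of expected sources per account when tuning the second rule.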

Patch & SAP Vulnerabilities Management

All systems must have basic information security hygiene in place to prevent security incidents. These basic steps are necessary to prevent, mitigate, defend against and monitor for security incidents. SAP has a security guide and SearchSAP has many resources on the basic security controls necessary for an SAP system. These include vulnerability management, patch management and role-based access control.
Vulnerability management can be implemented in an SAP system by periodically scanning the application, web, database and other associated servers, then feeding that data into a patch management programme for testing and deployment. Given the critical nature of SAP systems, one major concern for ongoing security controls has been the potential for downtime caused by security changes. If an SAP system can’t be “down” for business reasons, plans should be in place for how to apply patches or make other security changes without disrupting operations. This might include ensuring a high-availability setup is in place, such as a backup system that automatically takes over while the primary system is being patched or is having changes made.

Business Impact Analysis

All organisations need to have a BIA (Business Impact Analysis) and understand the implications of a breach on their various systems. All assets on the network need to be included in the BIA, and it needs to be cross-referenced with the information security programme.

Summary

The problem with security relating to ERP systems is that there can be a disconnect between the security team and the ERP operations team. Standard security protocols which have been implemented in the rest of the organisation are often overlooked by the ERP operations team. Enterprises need to ensure all systems are part of their information security program — including ERP systems.

Excluding ERP systems in the past is what has allowed these basic security vulnerabilities to still be present in systems today. Some of these vulnerabilities have been well known in the information security community for decades. Applying the processes and fixes already used outside SAP systems can significantly reduce SAP vulnerabilities. It can also prevent more severe incidents from affecting critical business operations.

For more information on how to protect your ERP system contact us today!

Smarttech247
